getpwent(3) bug -- security hole
Bruce Nemnich
bruce at godot.UUCP
Thu Sep 20 04:52:44 AEST 1984
There was some discussion a few months ago about a problem with null
entries in /etc/passwd. These can be caused by running chfn or chsh on
a passwd file which has a blank line, often mistakenly left at the end
of the file by humans. It presents a gaping security hole if it happens.
The problem is in getpwent(3). There are two parts to my fix: the first
keeps a newline from getting in a field in the returned structure if not
all fields are filled out on the passwd line, and the second ignores
leading whitespace and blank lines.
*** /tmp/,RCSt1014083 Wed Sep 19 14:38:06 1984
--- getpwent.c Wed Sep 19 14:08:15 1984
***************
*** 28,34
pwskip(p)
register char *p;
{
! while( *p && *p != ':' )
++p;
if( *p ) *p++ = 0;
return(p);
--- 28,34 -----
pwskip(p)
register char *p;
{
! while( *p && *p != ':' && *p != '\n')
++p;
if( *p ) *p++ = 0;
return(p);
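Review bot: A short line is still returned as an entry after the `*p != '\n'` test is added to the `while` condition in `pwskip`; it is not rejected. Once the newline is overwritten, `*p++ = 0` leaves `p` on the terminating NUL, so every later `pwskip` call returns at once and the remaining fields come back as empty strings. Consider having the caller notice that the line ended before all fields were seen and skip that entry, and add a comment on `pwskip` saying that newline is now a field terminator.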
***************
*** 43,51
if( (pwf = fopen( PASSWD, "r" )) == NULL )
return(0);
}
! p = fgets(line, BUFSIZ, pwf);
! if (p==NULL)
! return(0);
passwd.pw_name = p;
p = pwskip(p);
passwd.pw_passwd = p;
--- 43,55 -----
if( (pwf = fopen( PASSWD, "r" )) == NULL )
return(0);
}
! do {
! p = fgets(line, BUFSIZ, pwf);
! if (p==NULL)
! return(0);
! /* skip whiteness at beginning of line */
! while (*p == '\t' || *p == ' ' || *p == '\n') p++;
! } while (*p == '\0'); /* skip blank lines */
passwd.pw_name = p;
p = pwskip(p);
passwd.pw_passwd = p;
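Review bot: The `do { ... } while (*p == '\0')` loop skips only lines that are empty once leading whitespace is removed; a line whose first non-blank character is `:` still leaves the loop, and `passwd.pw_name` then points at an empty string. Consider widening the loop condition to `*p == '\0' || *p == ':'` so that entries with no name are skipped as well. Note also that `fgets(line, BUFSIZ, pwf)` splits a line longer than the buffer, and the remainder is parsed as a fresh entry on the next call.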
--
--Bruce Nemnich, Thinking Machines Corporation, Cambridge, MA
{astrovax,cca,harvard,ihnp4,ima,mit-eddie,...}!godot!bruce, BJN at MIT-MC.ARPA
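
A lint-style check for the condition described in the post, as an added example that is not part of the original message or of the 4BSD source: it flags blank lines, entries with an empty name field, and entries with the wrong number of fields in passwd-format text. The seven-field layout, the function and constant names, and the sample lines are assumptions made for this example.

```c
#include <stdio.h>

/* Result codes for one line of a passwd-format file (names are hypothetical). */
enum { PW_OK = 0, PW_BLANK, PW_NONAME, PW_BADCOUNT };

/* Assumed layout: name:passwd:uid:gid:gecos:dir:shell */
#define PW_FIELDS 7

/* Classify a single line, with or without its trailing newline. */
int pw_check_line(const char *line)
{
    const char *p = line;
    int colons = 0;

    /* Only blanks, tabs or a newline: the stray blank-line case. */
    while (*p == ' ' || *p == '\t' || *p == '\n')
        p++;
    if (*p == '\0')
        return PW_BLANK;
    if (*p == ':')
        return PW_NONAME;               /* first field is empty */
    for (; *p && *p != '\n'; p++)
        if (*p == ':')
            colons++;
    return colons == PW_FIELDS - 1 ? PW_OK : PW_BADCOUNT;
}

/* Count the problem lines in a NULL-terminated array of lines. */
int pw_count_bad(const char *const *lines)
{
    int bad = 0;
    for (; *lines; lines++)
        if (pw_check_line(*lines) != PW_OK)
            bad++;
    return bad;
}

/* Constructed sample input, not taken from any real system. */
static const char *const sample[] = {
    "root:x:0:0:Super User:/:/bin/csh\n",
    "alice:x:101:10:Alice:/usr/alice\n",    /* shell field missing */
    "\n",                                    /* stray blank line */
    NULL
};

int main(void)
{
    int i;
    for (i = 0; sample[i]; i++)
        printf("line %d: code %d\n", i + 1, pw_check_line(sample[i]));
    return pw_count_bad(sample) ? 1 : 0;    /* non-zero exit if anything was flagged */
}
```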